Pro tip: Three ways to gain (or prevent) admin access to OS X

Jesus Vigo
Updated
Gain admin access to OS X
Gain admin access to OS X

Being a systems administrator can be a difficult job at times. Between managing the devices, network, and users, it's easy to get frazzled and overlook a hidden setting or lock down a configuration a little too stringently.

However, either extreme could inevitably lead to one of two scenarios: unauthorized users are granted elevated privilege(s) once the weakness is exploited; or the environment is so secure, even the IT department has been striped of their once almighty access.

Ironically, in the early days of my IT career, this occurred a few times while I was learning my way around Group Policy or Apple's Server Admin Tools. But one thing I always took away from it, the lesson to be learned: In order to best know how to fix it, you've got to learn how to break it.

So, for this article, why not mix the two? Take the three methods listed below and use them to regain access to an administrative level account--and in the process, learn how to protect against others attempting to do the same.

1. Recovery Partition

How does it happen?

The process is very simple. From a powered off state, power on the Mac and hold down the [Option] key prior to the Apple chime. Continue holding it until the Startup Manager loads. Next, select the Recovery Partition. After booting into the Recovery Partition, Select Utilities | Terminal. Enter the command "resetpassword" (without the quotes) and press the [Enter] key to bring up the password reset utility. From there, select the drive that contains the account you wish to reset, and select a user from the drop-down menu. Assign the account a new password, confirm the password, then click the Save button. Restart the computer, and upon loading OS X, simply enter the account name and newly reset password to gain administrative access.

Who can perform this?

Anyone with physical access to the node is capable of performing this reset method.

What can be done to protect against this?

Luckily, there are two such protections against this. First, enabling a Firmware Password, which can also be done from Utilities | Firmware Password Utility in the Recovery Partition, will set an EFI boot password to prevent users from booting to any device other than the default boot drive.

Second, enabling FileVault 2, which is Apple's whole disk encryption, protects accounts from the same password reset routines as non-encrypted accounts due to the way FV2 handles password resets independently from the OS. This means that while a user could possibly change the password of an admin account, since authentication gets handled a little differently in FV2, a user would first be required to authenticate with the previous password (unknown to him/her) before gaining access to the system.

2. Single User Mode

How does it happen?

When booting a Mac from a powered off state, hold down the [Command]+[S] keys prior to the Apple chime, and this will cause the computer to boot into Single User Mode (SUM).

The SUM is intended to be used as a tool to help IT and developers troubleshoot issues affecting OS X, particularly those pertaining to boot up. It does have the added benefit (and curse) of starting up with root access, also known as Superuser, which allows for commands to be executed at the administrative level. The node boots into SUM automatically, without credentials being requested.

By running the commands below, a user could reset the Apple Setup runtime back to its factory setting, causing the computer to run the process again during the subsequent reboot. Completing the setup process would also mean that a new administrator account would be created, thus compromising the system.

mount -uw /


rm /var/db/.AppleSetupDone


shutdown -h now

Who can perform this?

Just like the Recovery Partition, anyone with physical access to the node is capable of performing this reset method.

What can be done to protect against this?

Again, setting a firmware password would ensure that anyone trying to gain access would have to provide the firmware password before seeing the startup manager and entering SUM.

Additionally, FileVault 2 allows for access to SUM, but the user is required to first authenticate via FV2's login window.

3. Apple ID

How does it happen?

Loading the Users & Groups preference pane from System Preferences will reveal a listing of all the accounts stored locally in a particular computer. When selecting an account, a checkbox titled "Allow user to reset password using Apple ID" may be optionally checked.

The purpose of this is so that any user--who has a user account with an Apple ID tied to it--during the login screen can reset his/her password by entering his/her Apple ID and authenticating with that account instead.

As a side note, while it's possible and encouraged to keep both the Apple ID and iCloud as separate accounts, in many cases, they are one in the same. This adds another vector of attack, since if the Apple ID credentials are compromised, the iCloud account can be used to access the Find My iPhone app located in iCloud, and other devices tied to that account may be removed from the device list remotely without the administrator (or device owner) knowing until after the fact.

Who can perform this?

This is limited to only those who know or have access to the Apple ID credentials for accounts that have the reset by Apple ID checkbox enabled. The compromise, however, can occur remotely or locally, and it can also be executed by anyone who has access to the email account that's registered with the Apple ID account.

What can be done to protect against this?

The obvious choice would be to uncheck the Apple ID password reset box from the account. However, this has many more valid uses than negative and depends on your environment and/or enterprise policies.

A much more realistic, real-world approach would be to follow password best practices, such as choosing a strong password of at least 14 characters with a wide key space (using upper and lowercase letters, numbers, and characters). You should also change said password every 45-90 days, and make sure that the same password has not been used in at least the last six changes.

Keeping the email account tied to the Apple ID separate from a company or personal account is a good idea as well, since that will mitigate the possibility of detection through minimized usage.

Lastly, implementing 2-step verification for Apple ID and iCloud (and perhaps even the desktops in question), would curb most of the attempts to bypass restrictions.

Remember that computers have more than one way to perform a specific task, and put in the due diligence to test systems. This will go a long way to strengthen the security of the computers and continue sharpening the minds of those tasked with managing and maintaining them.

What other advice do you have for gaining access--or preventing access--to OS X? Share your experience in the discussion thread below.

Also see